Comments on: Attack of the URL Vulnerabilities
http://www.gnucitizen.org/blog/attack-of-the-url-vulnerabilities/
Information Security Think Tank
Feed generated: Sat, 02 Feb 2013 17:50:40 +0000

By: pdp
Thu, 26 Jul 2007 06:43:25 +0000
http://www.gnucitizen.org/blog/attack-of-the-url-vulnerabilities#comment-37116
Jordan, thanks for the good research. Yes, it is very interesting. Have you taken snapshots of the registry tree for each setup? Because now we can detect what's the cause of it. I have a very wild guess, but it is good to have some proof. Cheers.

By: Jordan
Thu, 26 Jul 2007 02:31:19 +0000
http://www.gnucitizen.org/blog/attack-of-the-url-vulnerabilities#comment-37087
Looks like I'm not the only person to observe that:
https://bugzilla.mozilla.org/show_bug.cgi?id=389580#c6

By: Jordan
Thu, 26 Jul 2007 01:02:18 +0000
http://www.gnucitizen.org/blog/attack-of-the-url-vulnerabilities#comment-37074
pdp -- I realize that, but there's something else going on. Check this out to see what I mean:

XPSP2 with no patches + Firefox = Exploit fails
XPSP2 with all patches (sans IE7) + Firefox = Exploit fails
XPSP2 with all patches (including IE7) + Firefox = Exploit succeeds!
XPSP2 with no patches + Firefox + Thunderbird installed and configured = Exploit fails
XPSP2 with no patches except for IE7 + Firefox + Thunderbird = Exploit succeeds!

I've tried other combinations besides those, and the only way I can get the exploit to succeed is if IE7 is installed. If anyone's able to get the exploit working without IE7 installed, I'd be really curious to know.

By: pdp
Wed, 25 Jul 2007 20:38:34 +0000
http://www.gnucitizen.org/blog/attack-of-the-url-vulnerabilities#comment-37048
Jordan, again, it depends on the URL handler for the mailto: protocol.

Adrian, yes, yes and yes.

By: Adrian Pastor
Wed, 25 Jul 2007 19:28:50 +0000
http://www.gnucitizen.org/blog/attack-of-the-url-vulnerabilities#comment-37040
It's very worrying how easy it is to exploit this vulnerability and how well it works.

I must research these URI handler bugs!

By: Jordan
Wed, 25 Jul 2007 19:26:11 +0000
http://www.gnucitizen.org/blog/attack-of-the-url-vulnerabilities#comment-37038
Ok, just ran it a second time after reverting the snapshot, and sure enough -- a base SP2 machine is /not/ vulnerable for some reason. Got the regmon logs, but I don't have the time to parse through them right now.

Here's a zip with a screenshot showing the exploit fail, and regmon logs of the exploit both failing and then succeeding on the same machine, just with and without patches:
http://www.psifertex.com/download/firefox-command-injection.zip

Maybe someone else can figure it out while I get back to pretending to work on this other project here at my office. ;-)

By: Jordan
Wed, 25 Jul 2007 19:00:42 +0000
http://www.gnucitizen.org/blog/attack-of-the-url-vulnerabilities#comment-37036
pdp -- there's something else involved in the process that's disrupting it.

I just grabbed all the updates for the SP2 machine, and /now/ the exploit works. Outlook Express is still registered as the mailto handler just like it was before I grabbed the updates.

So in short: install a standard SP2 machine. Exploit fails. Install the latest security patches. Exploit succeeds.

Lemme verify it again and use regmon to trace the registry calls to see if I can find out what's different.

By: pdp
Wed, 25 Jul 2007 18:48:50 +0000
http://www.gnucitizen.org/blog/attack-of-the-url-vulnerabilities#comment-37032
Jordan, the vector does not work if you have Outlook as the default mailto: handler. If your default mail client is Thunderbird, then you shouldn't have any problem with launching the attack. BTW, try using other protocols. It works like a charm.

By: Jordan
Wed, 25 Jul 2007 18:39:39 +0000
http://www.gnucitizen.org/blog/attack-of-the-url-vulnerabilities#comment-37031
Odd -- I've been trying to test this in a base XP image, with no luck. Does it really require SP2 to work? That'd be kind of ironic. Outlook Express is the default registered mail handler for mailto: on the test system I just installed into VMware. I'm going through the upgrades now, testing it at each step to see at what point it becomes vulnerable.

By: Larholm.com - Me, myself and I » Handling URL protocol handlers (pingback)
Wed, 25 Jul 2007 18:01:57 +0000
http://www.gnucitizen.org/blog/attack-of-the-url-vulnerabilities#comment-37024
[...] Jesper Johanson has expressed his thoughts, as has David LeBlanc, Billy Rios, Window Snyder and pdp. Billy Rios just detailed yet another potential attack vector for protocol [...]

By: pdp
Wed, 25 Jul 2007 13:08:24 +0000
http://www.gnucitizen.org/blog/attack-of-the-url-vulnerabilities#comment-36997
Good, cuz I am not saying anything either :)

By: Giorgio Maone
Wed, 25 Jul 2007 13:07:11 +0000
http://www.gnucitizen.org/blog/attack-of-the-url-vulnerabilities#comment-36996
I won't say anything ;)
http://noscript.net/changelog#1.1.6.07